From 0f80873aa4d67417c3ea2657d273d358d85712ca Mon Sep 17 00:00:00 2001
From: V
Date: Fri, 28 Jul 2023 21:33:44 +0200
Subject: [PATCH] lftp: use openssl instead of gnutls

fixes lftp failing to verify sites secured with letsencrypt.

- more specifically, lftp doesn't validate the cross-signed ISRG Root X1 correctly[1][2].
- this issue is not present when built against openssl.
- a fix for the gnutls codepath has been merged[3], but the project has not seen a release since 2020.
- given this, and the questionable quality of gnutls, it seems reasonable to build with openssl instead.

reproducing this bug yields the following:

> Fatal error: Certificate verification: Not trusted (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF)

[1]: https://askubuntu.com/questions/1366456/lftp-certificate-suddenly-not-trusted#comment2395548_1366818
[2]: https://github.com/lavv17/lftp/issues/641
[3]: https://github.com/lavv17/lftp/pull/642

Change-Id: Ib161d8741f6d6debde8a65d94a6c1965b23f82ff
---
 pkgs/tools/networking/lftp/default.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/networking/lftp/default.nix b/pkgs/tools/networking/lftp/default.nix
index 88ee2d44cb93..aaa26a38c3ae 100644
--- a/pkgs/tools/networking/lftp/default.nix
+++ b/pkgs/tools/networking/lftp/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, gnutls, pkg-config, readline, zlib, libidn2, gmp, libiconv, libunistring, gettext }:
+{ lib, stdenv, fetchurl, openssl, pkg-config, readline, zlib, libidn2, gmp, libiconv, libunistring, gettext }:
 
 stdenv.mkDerivation rec {
   pname = "lftp";
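Review bot: The derivation itself carries no trace of why the TLS backend is being swapped, so the `gnutls` → `openssl` substitution in this argument list (and the matching `buildInputs`/`--with-openssl` edits in the second hunk) reads as an arbitrary choice and is likely to be reverted once someone notices gnutls is the lftp default. I would add a comment next to `buildInputs` in the second hunk such as `# Built against openssl rather than gnutls: the gnutls code path fails to verify Let's Encrypt chains; the upstream fix (https://github.com/lavv17/lftp/pull/642) is merged but unreleased`, so the switch can be revisited when upstream ships it. It is also worth confirming, and stating in the commit message, that the openssl build actually locates the Nix CA bundle (nixpkgs' openssl honours `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE`, but whether lftp's openssl path relies on that or on its own `ssl:ca-file` default I cannot tell from here); the message shows the failing gnutls case but no passing verification against a Let's Encrypt host after the change. The second hunk continues past the end of this chunk, so I could not check what follows `--without-expat`.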
@@ -14,11 +14,12 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkg-config ];
 
-  buildInputs = [ gnutls readline zlib libidn2 gmp libiconv libunistring gettext ];
+  buildInputs = [ openssl readline zlib libidn2 gmp libiconv libunistring gettext ];
 
   hardeningDisable = lib.optional stdenv.isDarwin "format";
 
   configureFlags = [
+    "--with-openssl"
     "--with-readline=${readline.dev}"
     "--with-zlib=${zlib.dev}"
     "--without-expat"